This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-quarantined-build-runner.md

1.1 KiB

Pattern: Quarantined Build Runner

Status: seed Readiness target: RL3 production Primary owners: Railiance platform, product repos Genesis family: Supply chain

Problem

Build jobs often process untrusted code while also having access to secrets, registries, signing keys, or deployment credentials.

Context

Use this pattern for CI/CD runners, release builders, image builders, dependency test jobs, and signing workflows.

Forces

  • Builds need network and artifact access.
  • Pull requests may contain untrusted code.
  • Signing and deployment credentials are high impact.
  • Runners need cleanup and isolation between jobs.

Solution

Run build jobs in isolated, least-privilege environments with limited secrets, scoped network access, clean workspaces, and separate trusted release/signing stages.

Verification

  • Untrusted jobs cannot access release or deployment secrets.
  • Runner workspaces are isolated and cleaned.
  • Network and registry access are scoped.
  • Signing happens only in trusted release contexts.
  • SLSA Build Provenance.
  • Signed Container Images.
  • Dependency Update Bot.
  • Protected Main Branch.